RODC and Writable DC in the same site

Marcus Wong Theen Nam 1,091 Reputation points
2021-11-10T09:45:34.82+00:00

I have 1 RODC currently in site A. Now I would like to add another writable DC into site A, and when the new writable DC is up I will demote the RODC.

So I'm wondering, can I add an RODC and a writable DC in the same AD site? Will there be any authentication issues or conflicts?

Thank you.

Windows Server
Active Directory

2 answers

  1. Gary Reynolds 9,391 Reputation points
    2021-11-10T10:29:05.457+00:00

    Hi,

    You can have an RODC and a writable DC in the same site; authentication requests can be serviced by either DC. If there is a write request, the request will be serviced by the writable DC. The netlogon DsGetDcName function is used to find a suitable writable DC using the DS_WRITABLE_FLAG.

    Gary.

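    The locator call the answer refers to, shown as an added example (not code from the answer's author): it P/Invokes `DsGetDcName` from netapi32.dll, optionally requests a writable DC with `DS_WRITABLE_REQUIRED` (the input flag, 0x1000), and inspects the returned `Flags` for `DS_WRITABLE_FLAG` (the output flag, 0x100) so you can see whether the DC the site handed back is the RODC or the writable DC. The site name `SiteA` and the domain are assumptions; run it on a domain-joined Windows host.

```powershell
# Added example: locate a DC via netlogon's DsGetDcName and report whether it is writable.
# Flag values are the constants from the Windows SDK header DsGetDC.h.
if (-not ('DcLocator' -as [type])) {
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class DcLocator
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct DOMAIN_CONTROLLER_INFO
    {
        public string DomainControllerName;
        public string DomainControllerAddress;
        public uint   DomainControllerAddressType;
        public Guid   DomainGuid;
        public string DomainName;
        public string DnsForestName;
        public uint   Flags;
        public string DcSiteName;
        public string ClientSiteName;
    }
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern int DsGetDcName(string ComputerName, string DomainName, IntPtr DomainGuid,
                                         string SiteName, uint Flags, out IntPtr DomainControllerInfo);
    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr Buffer);
}
"@
}

# Input flags (what the caller requires)
$DS_FORCE_REDISCOVERY = 0x00000001   # skip the cached DC, query the locator again
$DS_WRITABLE_REQUIRED = 0x00001000   # never return an RODC
$DS_RETURN_DNS_NAME   = 0x40000000
# Output flags (what the returned DC advertises)
$DS_KDC_FLAG          = 0x00000020
$DS_WRITABLE_FLAG     = 0x00000100

function Find-DomainController {
    param(
        [string]$Domain,        # DNS domain; empty = this computer's own domain
        [string]$Site,          # AD site to search; empty = client's own site
        [switch]$WritableOnly   # add DS_WRITABLE_REQUIRED, as a write request would
    )
    $flags = $DS_RETURN_DNS_NAME -bor $DS_FORCE_REDISCOVERY
    if ($WritableOnly) { $flags = $flags -bor $DS_WRITABLE_REQUIRED }

    # DsGetDcName wants NULL, not "", for "use the default"
    $domainArg = if ($Domain) { $Domain } else { $null }
    $siteArg   = if ($Site)   { $Site }   else { $null }

    $ptr = [IntPtr]::Zero
    $rc  = [DcLocator]::DsGetDcName($null, $domainArg, [IntPtr]::Zero, $siteArg, [uint32]$flags, [ref]$ptr)
    if ($rc -ne 0) { throw "DsGetDcName failed with Win32 error $rc" }
    try {
        $info = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ptr, [type][DcLocator+DOMAIN_CONTROLLER_INFO])
        [pscustomobject]@{
            DomainController = $info.DomainControllerName.TrimStart('\')
            DcSite           = $info.DcSiteName
            ClientSite       = $info.ClientSiteName
            IsWritable       = [bool]($info.Flags -band $DS_WRITABLE_FLAG)
            IsKdc            = [bool]($info.Flags -band $DS_KDC_FLAG)
            RawFlags         = ('0x{0:X8}' -f $info.Flags)
        }
    } finally {
        [void][DcLocator]::NetApiBufferFree($ptr)
    }
}

# Unconstrained lookup in the site: may return either the RODC or the writable DC
Find-DomainController -Site 'SiteA'
# Writable required: only the writable DC qualifies, which is the path a write takes
Find-DomainController -Site 'SiteA' -WritableOnly
```

    The same two lookups can be done from a command prompt with `nltest /dsgetdc:<domain> /site:SiteA` and `nltest /dsgetdc:<domain> /site:SiteA /writable`; compare the `Flags:` line of each, where a writable DC lists WRITABLE and an RODC does not.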

  2. MukeshAgarwal-MSFTE 0 Reputation points
    2023-10-17T18:03:35.83+00:00

    It is not recommended to keep an RODC with a writable DC. You can keep both of them together, but it does not mean you should do it. That you can jump from the 20th floor of a building does not mean you should jump from it.

    Let me explain why:

    RODC does not have the krbtgt account password; instead it has its own krbtgt_xxxx password, which it uses to encrypt TGTs. If a user who has a TGT from a writable DC reaches an RODC for a service ticket and provides the TGT, the RODC can't decrypt it, as it is signed by the krbtgt account, which it does not have. Although it is not a fatal error, and the client does another request against the DC.

    This process will create more bandwidth and may result in delay in application access.

    Also, keeping an RODC with a writable DC just does not serve the purpose. RODCs were introduced to be kept in a site where you have less physical security.

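    An added inventory script (not code from the answer's author) that makes the krbtgt split described above visible: it lists every DC in a site with its `IsReadOnly` status and the KDC account whose key encrypts that DC's TGTs, the domain `krbtgt` for a writable DC, or the per-RODC `krbtgt_NNNNN` account reached through the RODC computer object's `msDS-KrbTgtLink` attribute, and warns when a site contains both kinds. The site name `SiteA` is an assumption; it needs the RSAT ActiveDirectory module.

```powershell
# Added example: which KDC key each DC in a site uses for TGTs (krbtgt vs. krbtgt_NNNNN).
Import-Module ActiveDirectory

function Get-SiteKdcInventory {
    param([Parameter(Mandatory)][string]$SiteName)   # e.g. 'SiteA' (assumed name)

    # Every DC registered in the site, writable and read-only alike
    $dcs = Get-ADDomainController -Filter "Site -eq '$SiteName'"

    foreach ($dc in $dcs) {
        if ($dc.IsReadOnly) {
            # The RODC's computer object links to its private krbtgt_NNNNN account;
            # a TGT issued by a writable DC is encrypted with the domain krbtgt key,
            # which this RODC does not hold, hence the retry the answer describes.
            $computer   = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties 'msDS-KrbTgtLink'
            $kdcAccount = Get-ADUser -Identity $computer.'msDS-KrbTgtLink' -Properties PasswordLastSet
        } else {
            $kdcAccount = Get-ADUser -Identity 'krbtgt' -Properties PasswordLastSet
        }
        [pscustomobject]@{
            HostName      = $dc.HostName
            IsReadOnly    = $dc.IsReadOnly
            KdcAccount    = $kdcAccount.SamAccountName
            KdcKeyLastSet = $kdcAccount.PasswordLastSet
        }
    }
}

$inventory = Get-SiteKdcInventory -SiteName 'SiteA'
$inventory | Format-Table -AutoSize

# A site holding both kinds of KDC is where the extra TGT round trip can occur
$hasRodc     = $inventory.IsReadOnly -contains $true
$hasWritable = $inventory.IsReadOnly -contains $false
if ($hasRodc -and $hasWritable) {
    Write-Warning "Site 'SiteA' holds both an RODC and a writable DC: TGTs from the writable DC cannot be decrypted by the RODC (krbtgt vs. krbtgt_NNNNN)."
}
```

    Run it before and after the migration described in the question: while both DCs coexist it warns, and once the RODC is demoted the site should show a single writable entry keyed by `krbtgt`.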